What is a spamtrap?

10 February 2020

One of the issues that I get to deal with in policy enforcement is handling complaints about customers sending messages to “spamtraps.” This invariably leads to a discussion about what, exactly, is a spamtrap?

There are a lot of different answers out there. For instance, a 2019 blog post at Validity asserts that it is a “fraud management tool” to “lure spam” from spammers by means of “list poisoning” (Atwater and Wetherbee 2019). On the other hand, The Spamhaus Project gives this definition on its glossary page:

Spamtraps are email addresses which do not belong to real users and are used by various reputation systems to highlight illegitimate senders who add email addresses to their lists without obtaining prior permission. They are also very effective in identifying email marketers with poor permission and list management practices.

(The Spamhaus Project 2019)

My definition

My own definition of a spamtrap tends to read something like this: “A spamtrap is an address which does not belong to an actual person, but is used as part of a system generally intended to gather evidence indicating poor execution of best practices by list owners.”

Let’s break that down just a little…

Spamtraps are email addresses. While I suppose that it will not be long before mobile providers engage in similar strategies, it’s still pretty safe to say that when we are discussing “spamtraps” we are discussing email addresses.

Those email addresses are owned by different players in the field. Some spamtraps are owned by reputation monitoring systems ranging from DNSBLs (like Spamhaus) to spam/virus/security filtering companies (such as Proofpoint) to deliverability toolset providers (such as Validity/ReturnPath or 250ok) to mailbox providers. What all of these spamtraps have in common is that they receive all messages sent to them, but there is no real person there to receive those messages. All messages received are generally going into automated systems for classification and/or review.

Further, there are different types of spamtraps. While certainly not exhaustive, here are a few of the major types:

Pristine traps. Some spamtraps have never been used before in the history of the Internet. I know of one person, for instance, who has a series of spamtraps which are derived from message IDs. Those addresses have never actually been email addresses; they were only derived from a field which looks like an email address. But, I have also known of cases where the spamtraps were in domains that had never been used at all (no website, no mail server, etc.).

Repurposed traps. These spamtraps are usually found in mail sent to formerly used domains. My usual example would be for a company that had existed during the dot-com bubble of the 1990s but had gone bankrupt when the bubble burst right around 2000. A trap operator may have found that old, no longer used domain, and purchased it to see what kind of mail is being sent to it almost 20 years later.

Typo traps. These are usually domain-based. The trap operator will obtain a domain name that is very similar to, but not quite the same as, a well-known domain or brand. My usual example for this type would be to get the domain “comcats.net” which is only one letter transposition away from the much better known “comcast.net” domain. These traps, in particular, are usually used to find poor list collection practices in the form of a lack of proper validation and confirmation.

Seed addresses. These would be addresses that have been offered up for collection in order to ascertain if the collector will misuse the data. For instance, a company may give its salespeople contact lists with one or more seed addresses in order to ensure that the data isn’t being sold or shared with unauthorized third parties. Or, Lashback offers a DNSBL which it claims is populated by messages received at Lashback-owned addresses which were entered into a company’s unsubscription forms (Lashback, LLC 2016).

According to the M3AAWG Spamtrap Operations BCP, there are a number of reasons why spamtraps may exist:

Refining local spam filters

Creating reputation lists, including DNS-Based Black Lists (DNSBLs), based on a variety of heuristics

But not every instance of a spamtrap being on a given list is necessarily indicative of a breach of best practices. For instance, the owner of the spamtrap may actually be poisoning the list in order to detect data leakage. (The trap owner may actually be the list owner who suspects a data leak, such as an employee who is selling the company’s customer and/or user lists to competitors or data brokers, as in the seed address example above.) In that case, the presence of a spamtrap on the customer’s own list is not indicative of a breach of best practices. But, if that spamtrap turned up on someone else’s list, that would indicate the use of rented, purchased, or traded data, a definite breach of best practices.

Additionally, it’s possible that the trap owner is not following best practices. For instance, it’s entirely possible that the owner of the spamtrap did not properly condition the trap by bouncing messages for a period of at least 12 contiguous months (see page 3 of the M3AAWG BCP for details). Thus, the list owner was given an insufficient opportunity to notice that an email address that was legitimately added to their list is no longer in use and should be removed.

But, these are exceptions. In more than 95% of the cases that I have worked over the last 20 years which have involved spamtraps, the spamtraps came into the list through the use of list purchases, rentals, or appends. Further, the specific traps which were used to find and flag these cases were intended to find mailers who were sending to non-permission data.

What it all means…

Generally speaking, a spamtrap is an address that is intended to help locate list owners who are not following best practices. Thus, the presence of a spamtrap on a list indicates that there is data on a list that should not be there. And, usually, from my viewpoint in policy enforcement, that data is there because someone is either not maintaining their list, is engaged in dangerous collection or retention practices, or is directly violating policy by purchasing, renting, appending, or trading data.